Computer networks have become ubiquitous. Computer networks include the Internet, Service Provider (SP) networks, private networks, and Local Area Networks (LANs). A network such as an SP network may include peripherally located Provider Edge (PE) routers, each of which couples to one or multiple Customer Edge (CE) routers. The PE routers are used to maintain routing and forwarding context for each customer. The CE routers may couple to private LANs associated with one or multiple customers.
Dynamic Host Configuration Protocol (DHCP) is a protocol used to enable individual computers on an Internet Protocol (IP) network to obtain some of their configuration from a server (the 'DHCP server') or servers, in particular, servers that have no exact information about the individual computers until those computers request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant pieces of information distributed in this manner are the IP address and the default gateway.
An IP address (also called an IP number) is a number, typically written as four decimal numbers separated by periods (e.g., 107.4.1.3 or 84.2.1.111), that identifies a computer on an IP network such as the Internet. The IP address is used by the network to direct data to a user's computer, e.g., the data the user's web browser retrieves and displays when the user surfs the net. One task of DHCP is to assist in getting a functional and unique IP address into the hands of the computers that make use of the network.
In a dynamic virtual local area network (VLAN), a switch looks up the VLAN assignment of the device connected to one of its ports and automatically assigns that port to the VLAN it finds. With network management programs it is possible to define a VLAN at the level of hardware address (MAC, or Media Access Control, address), protocol, or higher-layer criteria. As an example, consider a system in which MAC addresses are entered into a central VLAN management database. When a device is connected to a switch port that has no VLAN assigned, the switch queries the VLAN database with the device's MAC address and assigns the VLAN value it obtains to that port. If the user or the device connected to the port changes, a new VLAN value is requested and assigned to the port. If the database is maintained carefully, this reduces the administration and configuration burden on the administrator.
Most enterprises want to do more for security than simply employing usernames and passwords for access, so an authentication protocol, called the Extensible Authentication Protocol (EAP), was developed. EAP sits inside the authentication phase of the Point-to-Point Protocol (PPP) and provides a generalized framework for several different authentication methods. EAP is intended to avoid proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates work smoothly within one framework.
With a standardized EAP, interoperability and compatibility of authentication methods become simpler. For example, when a user dials a remote-access server (RAS) and uses EAP as part of the PPP connection, the RAS doesn't need to know any of the details of the user's authentication system. Only the user and the authentication server have to be coordinated. By supporting EAP authentication, a RAS gets out of the business of acting as middleman and simply packages and repackages EAP packets to hand off to a server that does the actual authentication.
The IEEE 802.1x standard is a standard for passing EAP over a wired or wireless LAN. With 802.1x, EAP messages are packaged in Ethernet frames and don't use PPP. It's authentication and nothing more. This is desirable in situations in which the rest of PPP isn't needed, when the user is using protocols other than TCP/IP, or where the overhead and complexity of using PPP is undesirable.
In 802.1x the user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication is called the authentication server, and the device in between, such as a wireless access point, is called the authenticator. One of the key points of 802.1x is that the authenticator can be relatively simple as all of the processing power can reside in the supplicant and the authentication server. This makes 802.1x ideal for wireless access points, which are typically small and have little memory and processing power.
The protocol in 802.1x is called EAP encapsulation over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs such as Fiber Distributed Data Interface (FDDI). There are a number of modes of operation, and an example is presented as follows.
a. An authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the link is active (e.g., the supplicant system has associated with the access point).
b. The supplicant sends an “EAP-Response/Identity” packet to the authenticator, which is then passed on to the authentication (RADIUS) server.
c. The authentication server sends back a challenge to the authenticator, such as a challenge for a token password system. The authenticator extracts the EAP message from the RADIUS (UDP/IP) packet, repackages it into EAPOL, and sends it to the supplicant. Different authentication methods vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication; strong mutual authentication is considered appropriate for the wireless case.
d. The supplicant responds to the challenge, and the authenticator passes the response on to the authentication server.
e. If the supplicant proves its identity, the authentication server responds with a success message, which is passed on to the supplicant. The authenticator then allows access to the LAN, possibly restricted based on attributes returned by the authentication server. For example, the authenticator might place the supplicant in a particular virtual LAN or install a set of firewall rules.
Dynamic VLANs are used with 802.1x authentication to move devices into the appropriate VLAN based upon user identity. After the user has been authenticated and moved into the appropriate VLAN, DHCP assigns the user device an IP address and other networking information to access the network.
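The following is an added example, not code from the original text, that walks through steps a. to e. above and the dynamic VLAN assignment that follows: a supplicant, an authenticator that only relays EAP between the EAPOL side and the server side, and an authentication server that holds the credentials and the identity-to-VLAN policy. The challenge/response method is an assumed toy method (an HMAC-SHA256 over a random server challenge, carried under EAP type 255, the Experimental type), standing in for a real EAP method; the credential table, the VLAN policy table, the port names and the attribute dictionary that stands in for a RADIUS Access-Accept are constructed for the demo. Only the attribute name Tunnel-Private-Group-ID mirrors the real RADIUS attribute used for VLAN assignment.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes and the two EAP types used here (RFC 3748). Type 255 is the
# "Experimental" type; it stands in for a real challenge/response method.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_CHALLENGE = 1, 255
# Attribute name used for dynamic VLAN assignment; the dictionary carrying it
# below is an assumed stand-in for a real RADIUS Access-Accept.
VLAN_ATTR = "Tunnel-Private-Group-ID"


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: int = 0
    data: bytes = b""


class AuthServer:
    """Holds credentials and the identity-to-VLAN policy; never touches the link layer."""

    def __init__(self, secrets, vlans):
        self.secrets = secrets      # identity -> shared secret (assumed password store)
        self.vlans = vlans          # identity -> VLAN ID (assumed policy table)
        self.pending = {}           # EAP identifier -> (identity, challenge)

    def handle(self, pkt):
        """Return (EAP packet for the supplicant, attributes for the authenticator)."""
        if pkt.eap_type == TYPE_IDENTITY:
            identity = pkt.data.decode()
            challenge = os.urandom(16)
            ident = (pkt.identifier + 1) & 0xFF
            self.pending[ident] = (identity, challenge)
            return EapPacket(EAP_REQUEST, ident, TYPE_CHALLENGE, challenge), {}
        if pkt.eap_type == TYPE_CHALLENGE:
            identity, challenge = self.pending.pop(pkt.identifier, (None, None))
            secret = self.secrets.get(identity)
            if secret is not None:
                expected = hmac.new(secret, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, pkt.data):
                    return EapPacket(EAP_SUCCESS, pkt.identifier), {VLAN_ATTR: self.vlans.get(identity)}
        return EapPacket(EAP_FAILURE, pkt.identifier), {}


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, pkt):
        if pkt.code != EAP_REQUEST:
            return None
        if pkt.eap_type == TYPE_IDENTITY:       # step b
            return EapPacket(EAP_RESPONSE, pkt.identifier, TYPE_IDENTITY, self.identity.encode())
        if pkt.eap_type == TYPE_CHALLENGE:      # step d
            proof = hmac.new(self.secret, pkt.data, hashlib.sha256).digest()
            return EapPacket(EAP_RESPONSE, pkt.identifier, TYPE_CHALLENGE, proof)
        return None


class Authenticator:
    """The switch or access point: relays EAP between EAPOL and the server, then programs the port."""

    def __init__(self, server):
        self.server = server
        self.port_vlan = {}     # port -> VLAN ID once the port is authorized

    def authenticate(self, port, supplicant, max_rounds=8):
        request = EapPacket(EAP_REQUEST, 0, TYPE_IDENTITY)   # step a: link came up
        for _ in range(max_rounds):
            response = supplicant.handle(request)              # EAPOL toward the supplicant
            if response is None:
                break
            request, attrs = self.server.handle(response)      # relayed to the server (step c)
            if request.code == EAP_SUCCESS:                    # step e
                self.port_vlan[port] = attrs.get(VLAN_ATTR)    # dynamic VLAN from the server
                return True, self.port_vlan[port]
            if request.code == EAP_FAILURE:
                break
        self.port_vlan.pop(port, None)                         # port stays unauthorized
        return False, None


def run_demo():
    server = AuthServer({"alice": b"alice-secret"}, {"alice": 20})   # constructed credentials
    switch = Authenticator(server)
    good = switch.authenticate("Gi1/0/1", Supplicant("alice", b"alice-secret"))
    bad = switch.authenticate("Gi1/0/2", Supplicant("alice", b"wrong-secret"))
    unknown = switch.authenticate("Gi1/0/3", Supplicant("mallory", b"x"))
    return good, bad, unknown
```

Note that the authenticator never sees a secret: it only forwards EAP packets and acts on the success or failure code and the attributes that accompany it. Once a port is authorized and placed in its VLAN, the device would proceed to DHCP on that VLAN to obtain its IP configuration.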
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most widely deployed version of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
In ARP, when an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be framed for the LAN and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to ask which machine has that IP address. A machine that recognizes the IP address as its own returns a reply indicating this. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
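The following is an added example, not code from the original text, that builds and parses the 28-byte Ethernet/IPv4 ARP packet and runs the request/reply exchange above over a simulated LAN. The LAN, the hosts, and the MAC and IP addresses are all constructed for the demo. The resolver only caches a reply that answers a request it actually sent; ARP itself carries no authentication, so a receiver that accepts any reply can have its cache overwritten by an unsolicited one, and the demo shows that such a reply is ignored.

```python
import ipaddress
import struct

# RFC 826 packet for Ethernet (htype 1) and IPv4 (ptype 0x0800):
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FORMAT = "!HHBBH6s4s6s4s"
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                       ipaddress.IPv4Address(spa).packed, mac_bytes(tha),
                       ipaddress.IPv4Address(tpa).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class Lan:
    """Constructed broadcast domain: delivers frames to attached Host objects."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.mac] = host

    def broadcast(self, sender, frame):
        for host in self.hosts.values():
            if host is not sender:
                host.receive(frame)

    def unicast(self, mac, frame):
        host = self.hosts.get(mac)
        if host is not None:
            host.receive(frame)


class Host:
    def __init__(self, mac, ip, lan):
        self.mac, self.ip, self.lan = mac, ip, lan
        self.cache = {}         # the ARP cache: IP -> MAC
        self.pending = set()    # IPs we have sent a request for and not yet resolved
        lan.attach(self)

    def resolve(self, ip):
        """Return the MAC for ip, consulting the cache first and broadcasting a request otherwise."""
        if ip in self.cache:
            return self.cache[ip]
        self.pending.add(ip)
        self.lan.broadcast(self, build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, ip))
        return self.cache.get(ip)

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp["oper"] == OP_REQUEST and arp["tpa"] == self.ip:
            # The request asks for our IP: answer the sender directly.
            self.lan.unicast(arp["sha"], build_arp(OP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"]))
        elif arp["oper"] == OP_REPLY and arp["tha"] == self.mac:
            # Only learn from replies we solicited; an unsolicited reply is ignored.
            if arp["spa"] in self.pending:
                self.pending.discard(arp["spa"])
                self.cache[arp["spa"]] = arp["sha"]


def run_demo():
    lan = Lan()                                                      # constructed addresses below
    gateway = Host("00:11:22:33:44:55", "192.0.2.1", lan)
    pc = Host("66:77:88:99:aa:bb", "192.0.2.10", lan)
    other = Host("de:ad:be:ef:00:01", "192.0.2.99", lan)
    first = gateway.resolve("192.0.2.10")                           # request/reply round trip
    # An unsolicited reply from `other` claiming the PC's IP for its own MAC.
    lan.unicast(gateway.mac, build_arp(OP_REPLY, other.mac, "192.0.2.10", gateway.mac, gateway.ip))
    return first, gateway.resolve("192.0.2.10"), pc.mac
```

The second resolve is answered from the cache, and the cached value is still the PC's MAC because the unsolicited reply never matched an outstanding request.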
VPNs provide a secured means for transmitting and receiving data between network nodes even though a corresponding physical network supporting propagation of the data is shared by many users (and VPNs). In a typical networking environment used for routing data, the environment may include a number of Customer Edge (CE) routers, a number of Provider Edge (PE) routers and a packet-switched network (PSN). Data, encapsulated in layer-2 frames, may be forwarded from a first CE router to a first PE router, from the first PE router across the PSN to a second PE router, and from the second PE router to a second CE router.
A Pseudowire (PW) may be utilized to transfer data across the PSN. A Pseudowire is a mechanism that emulates attributes of a service such as Asynchronous Transfer Mode (ATM), Frame Relay (FR), Point-to-Point Protocol (PPP), High Level Data Link Control (HDLC), Synchronous Optical Network (SONET) Frames or Ethernet over a PSN. The functions provided by the PW include encapsulating Protocol Data Units (PDUs) arriving at an ingress port, carrying them across a path or tunnel, managing their timing and order, and any other operations required to emulate the behavior and characteristics of the particular service.
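The following is an added example, not code from the original text, showing the encapsulation and ordering functions of a PW in working form: the ingress PE prepends the generic PW MPLS control word (RFC 4385: four zero bits, four flag bits, a two-bit fragmentation field, a six-bit length and a sixteen-bit sequence number) to each service PDU, and the egress PE strips it and uses the sequence number to detect and discard misordered packets, following the convention in RFC 4448 that a sequence number of zero means sequencing is not in use and that the space wraps from 65535 back to 1. The PSN tunnel is simulated by delivering frames out of order from a Python list, and the CE frames are constructed for the demo.

```python
import struct

SEQ_MOD = 0xFFFF   # sequence space is 1..65535; 0 means "sequencing not used" (RFC 4448)


def pack_control_word(seq, flags=0, frg=0, length=0):
    """0000 | flags(4) | FRG(2) | Length(6) | Sequence Number(16), network byte order."""
    if not 0 <= seq <= 0xFFFF:
        raise ValueError("sequence number out of range")
    word = ((flags & 0xF) << 24) | ((frg & 0x3) << 22) | ((length & 0x3F) << 16) | seq
    return struct.pack("!I", word)


def unpack_control_word(cw):
    (word,) = struct.unpack("!I", cw[:4])
    if word >> 28 != 0:
        raise ValueError("first nibble must be 0000 for a PW control word")
    return {"flags": (word >> 24) & 0xF, "frg": (word >> 22) & 0x3,
            "length": (word >> 16) & 0x3F, "seq": word & 0xFFFF}


class PwIngress:
    """Encapsulates service PDUs (e.g. Ethernet frames from the CE) for the PSN tunnel."""

    def __init__(self):
        self.seq = 1

    def encapsulate(self, pdu):
        total = 4 + len(pdu)
        length = total if total < 64 else 0     # Length is set only for short packets
        frame = pack_control_word(self.seq, length=length) + pdu
        self.seq = self.seq % SEQ_MOD + 1        # 65535 wraps to 1, skipping 0
        return frame


class PwEgress:
    """Strips the control word and enforces ordering before handing PDUs to the CE side."""

    def __init__(self):
        self.expected = 1
        self.delivered = []
        self.dropped = []

    def _in_order(self, seq):
        # Accept the expected number or anything ahead of it within half the window;
        # a number behind the expected one is a late or duplicated packet.
        return (seq - self.expected) % SEQ_MOD < 32768

    def receive(self, frame):
        cw = unpack_control_word(frame)
        pdu = frame[4:]
        if cw["length"]:
            pdu = pdu[:cw["length"] - 4]         # drop PSN padding on short packets
        seq = cw["seq"]
        if seq == 0 or self._in_order(seq):
            self.delivered.append(pdu)
            if seq:
                self.expected = seq % SEQ_MOD + 1
        else:
            self.dropped.append(pdu)


def run_demo():
    ingress, egress = PwIngress(), PwEgress()
    pdus = [f"frame{i}".encode() for i in range(5)]          # constructed CE frames
    frames = [ingress.encapsulate(p) for p in pdus]
    for i in (0, 1, 3, 2, 4):                                 # constructed PSN misordering
        egress.receive(frames[i])
    return egress.delivered, egress.dropped
```

When frame 3 arrives ahead of frame 2, the egress treats frame 2 as lost and moves on; the late frame 2 then carries a sequence number behind the expected one and is dropped rather than delivered out of order to the CE.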